Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

TOP OF THE NEWS

In a new draft of the National Strategy for Securing Cyberspace, the Bush Administration has reduced the number of proposals by 40%. The new draft eliminates many proposals for America's corporations to improve security, focusing instead on suggestions for the US government agencies. It also eliminates a proposal for the White House to consult with privacy advocates on the impact of security proposals on civil liberties. -http://www.msnbc.com/news/855722.asp?0cv=CB20

20 December 2002 Wisconsin Man Will Serve Up To 20 Years In Prison for Computer Crimes and Other Offenses

Joseph Konopka, a 26-year-old Wisconsin man who has gone by the alias Dr. Chaos, agreed to a plea bargain in which he will serve a sentence of up to twenty years for a series of crimes that includes "creating counterfeit software and interfering with computers." A person familiar with the investigation notes "Konopka was an extremely capable systems administrator, and of the six charges to which he pled guilty, four were computer crime charges, including use of a sniffer, computer intrusion, transmission of malicious code, and software piracy. He was also a serious threat to critical infrastructures."
-http://www.jsonline.com/news/metro/dec02/104890.asp
-http://www.landfield.com/isn/mail-archive/2002/May/0063.html

6 January 2003 California Disclosure Law May Apply Outside California

A California law that will take effect July 1, 2003, requires companies in the state to inform their customers in the event of a computer intrusion that exposes customer names in conjunction with certain sensitive personal data, like a social security number. According to Scott Pink, deputy chair of the American Bar Association's Cybersecurity Task Force, the law will also pertain to on-line businesses with customers in California. -http://online.securityfocus.com/news/1984

6 January 2003 PR Firm Error Could Have Exposed Customer Data

The administrative password to a server run by Carmichael Lynch, a public relations and advertising company, was posted on a web site for at least six months. The password could have been used to access a variety of files, including customer databases for some of Carmichael Lynch's big clients. The posting containing the password has been removed and a spokeswoman for the company said there is no evidence that anyone took advantage of the vulnerability. -http://www.wired.com/news/infostructure/0,1377,57066,00.html

3 January 2002 Clarke Says Cyberterrorism is a Real Threat

Chairman of the President's Critical Infrastructure Protection Board Richard Clarke says the threat of cyberterrorism should not be dismissed. Clarke maintains that solutions to cyberspace threats aren't as clear as those to physical security threats, and that we need to handle the threat by eliminating cyberspace vulnerabilities.
-http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,77238,00.html
[Editor's Note (Murray): There is a difference between "not dismissing" and what the government has been doing. In security we must strike a difficult balance between false comfort and false alarm. The CSIS Paper suggests that the government's present rhetoric risks desensitizing us to alarms. This overstatement, not to say hype, is not limited to cyber space. If one uses the Government's own (five point) scale it seems to me that they are consistently one notch too high. (Schultz): I hope that the use of the term "eliminating vulnerabilities" in this news item was a misquote. Certainly Richard Clarke knows that vulnerabilities can never be completely eliminated. Terminology such as "minimizing vulnerabilities" or "managing vulnerabilities" would have been far better.]

3 & 6 January 2003 Supreme Court Justice Rescinds Stay in DeCSS Case

US Supreme Court Justice Sandra Day O'Connor rescinded an emergency stay she had placed on a ruling by the California Supreme Court in a case involving the publishing of DeCSS, a DVD encryption-breaking utility. As a result of O'Connor's action, the defendant in the case, Matthew Pavlovich, may distribute DeCSS again, though he could also be sued again. The Electronic Frontier Foundation's legal director lauded O'Connor's action, observing "[t]he entertainment companies need to stop pretending that DeCSS is a secret."
-http://news.com.com/2100-1023-979197.html
-http://www.cnn.com/2003/TECH/biztech/01/06/us.dvdencrypt.ap/index.html
[Editor's Note (Schultz): DeCSS encryption amounts to little more than "security by obscurity." You'd think that by now the entertainment industry would quit beating a dead horse and instead get real by trying to develop a stronger encryption scheme.]

3 January 2003 Wall Street Business Disaster Recovery Centers Can be in NYC

The FBI has arrested a 19-year-old for allegedly distributing documents containing technical information about DirecTV satellite smart cards to several satellite pirate web sites; the documents could be used to break DirecTV smart cards. Igor Serebryany will be charged under the 1996 Economic Espionage Act and could face a ten-year prison sentence and a fine of up to $250,000. There is no evidence indicating Serebryany benefited financially from his actions.
-http://www.wired.com/news/politics/0,1283,57039,00.html
-http://news.com.com/2100-1023-979001.html
-http://www.vnunet.com/News/1137793
[Editor's Note (Northcutt): This case has enormous importance. As we become an information economy, trade secrets and other intellectual property are among the most valuable assets any organization has. The Economic Espionage Act has not been used by the government as much as it should have been, so it will be interesting to see how this plays out.]

2 January 2003 Killboot Macro Virus

A macro virus called "Killboot" has the capacity to overwrite the Master Boot Record (MBR) on physical hard drives of infected machines. "Killboot" infects Word documents. There have been few reports of infections in the wild. -http://www.vnunet.com/News/1137774

2 January 2003 TSA Removes Password Protected Documents from Internet

The Transportation Security Administration (TSA) has removed four password-protected documents from its web site after concerns were raised about the security of the documents' contents. -http://news.com.com/2100-1023-978981.html

2 January 2003 Confidence in On-Line Transactions is Increasing

A quarterly survey from the Conference Board finds that consumer confidence in the security of on-line transactions is increasing. 33% of those surveyed believed their transactions are secure, compared with 27.5% a year ago. 25% believe their personal information is safe, up from 22% last year.
-http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=1985136
[Editor's Note (Schultz): It is important to understand that changes in statistics over time could be due to sampling error, too. Whether or not these statistical changes represent shifts in attitudes remains to be seen.]

30 December 2002 Putty SSH Vulnerability Exploit Posted on Bugtraq

Exploit code for a vulnerability in the Putty SSH client was posted on the Bugtraq mailing list. The code, which was posted by the security research division of a Spanish firm called I-Proyectos, was accompanied by a statement that it was only for educational and testing purposes.
-http://www.eweek.com/article2/0,3959,801913,00.asp
[Editor's Note (Murray): Nice people do not publish exploit code or do business with those that do. One certainly does not do business with them for no better reason than that they publish exploit code. Imagine one's reaction to IBM or Oracle publishing exploit code. While I admit that this is a novel ethical decision for some individuals, I have trouble understanding how so many businesses get it wrong. Immanuel Kant, where are you when we really need you?]